Hi,

When libica is running in FIPS mode (see icastats), /dev/hwrng
or /dev/prandom must be available.

Best regards
-- Patrick Steuer

Crypto for Linux on z Systems
Phone: +49-7031-16-1600
IBM Deutschland Research & Development GmbH



From:   Harald Freudenberger <fre...@linux.vnet.ibm.com>
To:     Dan Horák <d...@danny.cz>
Cc:     opencryptoki-tech@lists.sourceforge.net, Patrick
            Steuer/Germany/IBM@IBMDE
Date:   16.01.2017 12:41
Subject:        Re: [Opencryptoki-tech] [libica PATCH] make suite.out
            user-friendly





On 01/13/2017 07:35 PM, Dan Horák wrote:
> On Fri, 13 Jan 2017 16:01:34 +0100
> Harald Freudenberger <fre...@linux.vnet.ibm.com> wrote:
>
>> On 01/13/2017 02:27 PM, Dan Horák wrote:
>>> On Fri, 13 Jan 2017 13:52:19 +0100
>>> Dan Horák <d...@danny.cz> wrote:
>>>
>>>> On Fri, 13 Jan 2017 11:17:47 +0100
>>>> Dan Horák <d...@danny.cz> wrote:
>>>>
>>>>> Put some separators to the test cases outputs so suite.out
>>>>> is more readable.
>>>> you can see the result in the build.log at
>>>> https://s390.koji.fedoraproject.org/koji/taskinfo?taskID=2446194
>>>>
>>>> Hm, the tests all passed when building the rpm locally.
>>> it's missing /dev/prandom in the builder's chroot
>> Hi Dan
>> Why should opencryptoki have a dependency on /dev/prandom?
>> Libica, and thus the ica token on top of it, would attempt to
>> open /dev/prandom during shared library initialization, but if this
>> node is not available the fallback is to use /dev/urandom instead.
> that's what strace told me, libica is built with FIPS support enabled
>
> running LD_LIBRARY_PATH=../.libs PATH=..:$PATH strace ./icastats_test
> in Fedora Rawhide (to-be Fedora 26) gives
> ...
> set_tid_address(0x3ff876767d0)          = 45248
> set_robust_list(0x3ff876767e0, 24)      = 0
> rt_sigaction(SIGRTMIN, {0x3ff87206000, [], SA_SIGINFO}, NULL, 8) = 0
> rt_sigaction(SIGRT_1, {0x3ff872060c0, [], SA_RESTART|SA_SIGINFO}, NULL,
8) = 0
> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
rlim_max=RLIM64_INFINITY}) = 0
> rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP RTMIN RT_1], [], 8) = 0
> rt_sigaction(SIGILL, {0x3ff873c3f98, ~[ILL TRAP RTMIN RT_1], 0},
{SIG_DFL, [], 0}, 8) = 0
> rt_sigprocmask(SIG_BLOCK, NULL, ~[ILL TRAP KILL STOP RTMIN RT_1], 8) = 0
> rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or directory)
> geteuid()                               = 0
> statfs("/dev/shm/", {f_type=TMPFS_MAGIC, f_bsize=4096, f_blocks=238325,
f_bfree=238324, f_bavail=238324, f_files=238325, f_ffree=238323, f_fsid={0,
0}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
> futex(0x3ff87222370, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> open("/dev/shm/icastats_0", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) =
3
> ftruncate(3, 464)                       = 0
> mmap(NULL, 464, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x3ff87500000
> rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> rt_sigaction(SIGILL, {0x3ff87596690, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> futex(0x3ff875ad838, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> brk(NULL)                               = 0x8536d000
> brk(0x8538e000)                         = 0x8538e000
> rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> read(4, "0\n", 1024)                    = 2
> close(4)                                = 0
> open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or directory)
> open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or directory)
> open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or directory)
> open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or directory)
> open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
4096) = 2102
> lseek(4, -1337, SEEK_CUR)               = 765
> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
4096) = 1337
> close(4)                                = 0
> socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
> connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No
such file or directory)
> close(4)                                = 0
> futex(0x3ff874a6490, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> futex(0x3ff874a659c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> open("/udev/z90crypt", O_RDWR)          = -1 ENOENT (No such file or directory)
> open("/dev/z90crypt", O_RDWR)           = -1 ENOENT (No such file or directory)
> open("/dev/zcrypt", O_RDWR)             = -1 ENOENT (No such file or directory)
> open("/sys/devices/ap/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
> clone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD,
parent_tidptr=0x3ffe37fe87c) = 45249
> wait4(45249, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 45249
> rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=45249,
si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> geteuid()                               = 0
> munmap(0x3ff87500000, 464)              = 0
> close(3)                                = 0
> write(1, "Error in ica_random_number_gener"..., 37Error in
ica_random_number_generate: ) = 37
> exit_group(13)                          = ?
> +++ exited with 13 +++
>
>
>                                Dan
>

Looks like you are running a FIPS-enabled kernel. In that case libica (if
built with FIPS support) is also running in FIPS mode. I am not sure whether
libica initialization will refuse to proceed if neither /dev/hwrng nor
/dev/prandom is available. @Patrick, can you answer this?

regards H.Freudenberger

